[SOLVED] pfSense stopped logging
-
Hi @all
Noticed today that my pfSense box stopped logging, I am running 2.2 Release. There is no refresh in system logs or even Firewall logs at all. Does anybody know how to fix this?
thx thafener
-
I had this problem as well during the 2.2 beta, never got to the bottom of it, but I was getting hacked/have been hacked for a while and so far all I can show is I have some malware on some systems which has yet to be recognised by a multitude of AV & anti malware programs.
UK Police have been advised, got a crime reference number, but there's nothing they can do, they have told me, unless I can prove information is leaving my computer, which as it's going out over 443 and I've yet to set up squid to do a MITM attack if possible, I'm not able to prove the information is leaving the computer. Catch 22.
Basically the UK police can't do anything, hands tied by the law I think is the phrase that best springs to mind when it suits them!
-
I just noticed the same problem on 2.2 release and came to the forums to get help.
My last log was on Jan 31, 5 days ago. I now went to the log settings page and turned off "Show log entries in reverse order (newest entries on top)", saved, and then turned it back on, and now the logging is working again. It looks like the logging service must have died for some reason on Jan 31 and never restarted itself or warned me about the problem.
Below is my log starting from when I fixed the problem:
Feb 5 13:58:18 kernel: calcru: runtime went backwards from 1394 usec to 705 usec for pid 68539 (sleep)
Feb 5 13:58:18 kernel: done.
Feb 5 13:58:18 syslogd: kernel boot file is /boot/kernel/kernel
Jan 31 09:08:28 syslogd: exiting on signal 15
Jan 31 09:08:28 php: rc.bootup: Creating rrd update script
Jan 31 09:08:28 snmpd[34837]: disk_OS_get_disks: adding device 'cd0' to device list
Jan 31 09:08:28 snmpd[34837]: disk_OS_get_disks: adding device 'da0' to device list
Jan 31 09:08:28 kernel: done.
Jan 31 09:08:28 snmpd[34837]: disk_OS_get_disks: adding device 'ada0' to device list
Jan 31 09:08:24 kernel: .done.
Jan 31 09:08:24 kernel: ...
Jan 31 09:08:23 kernel: done.
Jan 31 09:08:23 check_reload_status: Updating all dyndns
Jan 31 09:08:23 kernel: done.
Jan 31 09:08:23 php: rc.bootup: ROUTING: setting default route to [SNIPPED MY PUBLIC IP]
Jan 31 09:08:22 kernel: done.
Jan 31 09:08:21 kernel: done.
Jan 31 09:08:20 php-fpm[246]: /rc.newwanip: rc.newwanip: Info: starting on ovpns2.
Jan 31 09:08:20 php-fpm[246]: /rc.newwanip: rc.newwanip: Info: starting on ovpns1.
Jan 31 09:08:19 kernel: .done.
Jan 31 09:08:19 kernel: ..
Jan 31 09:08:19 kernel: .
Jan 31 09:08:19 kernel: pflog0: promiscuous mode enabled
Jan 31 09:08:19 check_reload_status: rc.newwanip starting ovpns2
Jan 31 09:08:19 check_reload_status: rc.newwanip starting ovpns1
Jan 31 09:08:19 kernel: ovpns2: link state changed to UP
Jan 31 09:08:19 kernel: ovpns1: link state changed to UP
Jan 31 09:08:19 kernel: tun2: changing name to 'ovpns2'
Jan 31 09:08:18 php: rc.bootup: Resyncing OpenVPN instances.
Jan 31 09:08:18 kernel: tun1: changing name to 'ovpns1'
Jan 31 09:08:18 kernel: hn2: link state changed to UP
Jan 31 09:08:18 kernel: Trying to mount root from ufs:/dev/da0s1a [rw]...
Jan 31 09:08:18 kernel: SMP: AP CPU #1 Launched!
Jan 31 09:08:18 kernel: da0: 5120MB (10485760 512 byte sectors: 255H 63S/T 652C)
Jan 31 09:08:18 kernel: da0: Command Queueing enabled
Jan 31 09:08:18 kernel: da0: 300.000MB/s transfers
Jan 31 09:08:18 kernel: da0: <msft virtual disk 1.0> Fixed Direct Access SCSI-4 device
Jan 31 09:08:18 kernel: da0 at blkvsc0 bus 0 scbus2 target 0 lun 0
Jan 31 09:08:18 kernel: cd0: Attempt to query device size failed: NOT READY, Medium not present
Jan 31 09:08:18 kernel: cd0: 16.700MB/s transfers (WDMA2, ATAPI 12bytes, PIO 65534bytes)
Jan 31 09:08:18 kernel: cd0: <msft virtual cd rom 1.0> Removable CD-ROM SCSI-5 device
Jan 31 09:08:18 kernel: cd0 at ata1 bus 0 scbus1 target 0 lun 0
Jan 31 09:08:18 kernel: ada0: Previously was known as ad0
Jan 31 09:08:18 kernel: ada0: 5120MB (10485760 512 byte sectors: 16H 63S/T 10402C)
Jan 31 09:08:18 kernel: ada0: 16.700MB/s transfers (WDMA2, PIO 65536bytes)
Jan 31 09:08:18 kernel: ada0: <virtual hd 1.1.0> ATA-8 device
Jan 31 09:08:18 kernel: ada0 at ata0 bus 0 scbus0 target 0 lun 0
Jan 31 09:08:18 kernel: random: unblocking device.
Jan 31 09:08:18 kernel: hn2: <synthetic network interface> on vmbus0
Jan 31 09:08:18 kernel: hn1: <synthetic network interface> on vmbus0
Jan 31 09:08:18 kernel: hn0: <synthetic network interface> on vmbus0
Jan 31 09:08:18 kernel:
Jan 31 09:08:18 kernel: hyperv-utils3: Hyper-V Service attaching: Hyper-V Time Synch Service
Jan 31 09:08:18 kernel: hyperv-utils3 on vmbus0
Jan 31 09:08:18 kernel:
Jan 31 09:08:18 kernel: hyperv-utils2: Hyper-V Service attaching: Hyper-V Shutdown Service
Jan 31 09:08:18 kernel: hyperv-utils2 on vmbus0
Jan 31 09:08:18 kernel:
Jan 31 09:08:18 kernel: hyperv-utils1: Hyper-V Service attaching: Hyper-V KVP Service
Jan 31 09:08:18 kernel: hyperv-utils1 on vmbus0
Jan 31 09:08:18 kernel:
Jan 31 09:08:18 kernel: hyperv-utils0: Hyper-V Service attaching: Hyper-V Heartbeat Service
Jan 31 09:08:18 kernel: hyperv-utils0 on vmbus0
Jan 31 09:08:18 kernel: storvsc0 on vmbus0
Jan 31 09:08:18 kernel: IPsec: Initialized Security Association Processing.
Jan 31 09:08:18 kernel: Timecounters tick every 10.000 msec
Jan 31 09:08:18 kernel: Timecounter "Hyper-V" frequency 10000000 Hz quality 10000000
Jan 31 09:08:18 kernel: ppc0: cannot reserve I/O port range
Jan 31 09:08:18 kernel: vga0: <generic isa vga> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
Jan 31 09:08:18 kernel: sc0: VGA <16 virtual consoles, flags=0x300>
Jan 31 09:08:18 kernel: sc0: <system console> at flags 0x100 on isa0
Jan 31 09:08:18 kernel: orm0: <isa option rom> at iomem 0xc0000-0xcbfff on isa0
Jan 31 09:08:18 kernel: fd0: <1440-KB 3.5" drive> on fdc0 drive 0
Jan 31 09:08:18 kernel: fdc0: <floppy drive controller (fde)> port 0x3f0-0x3f5,0x3f7 irq 6 drq 2 on acpi0
Jan 31 09:08:18 kernel: uart1: <16550 or compatible> port 0x2f8-0x2ff irq 3 on acpi0
Jan 31 09:08:18 kernel: uart0: <16550 or compatible> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
Jan 31 09:08:18 kernel: psm0: model IntelliMouse Explorer, device ID 4
Jan 31 09:08:18 kernel: psm0: [GIANT-LOCKED]
Jan 31 09:08:18 kernel: psm0: <ps 2 mouse> irq 12 on atkbdc0
Jan 31 09:08:18 kernel: atkbd0: [GIANT-LOCKED]
Jan 31 09:08:18 kernel: kbd0 at atkbd0
Jan 31 09:08:18 kernel: atkbd0: <at keyboard> irq 1 on atkbdc0
Jan 31 09:08:18 kernel: atkbdc0: <keyboard controller (i8042)> port 0x60,0x64 irq 1 on acpi0
Jan 31 09:08:18 kernel: vgapci0: Boot video device
Jan 31 09:08:18 kernel: vgapci0: <vga-compatible display> mem 0xf8000000-0xfbffffff irq 11 at device 8.0 on pci0
Jan 31 09:08:18 kernel: pci0: <bridge> at device 7.3 (no driver attached)
Jan 31 09:08:18 kernel: ata1: <ata channel> at channel 1 on atapci0
Jan 31 09:08:18 kernel: ata0: <ata channel> at channel 0 on atapci0
Jan 31 09:08:18 kernel: atapci0: <intel piix4 udma33 controller> port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xffa0-0xffaf at device 7.1 on pci0
Jan 31 09:08:18 kernel: isa0: <isa bus> on isab0
Jan 31 09:08:18 kernel: isab0: <pci-isa bridge> at device 7.0 on pci0
Jan 31 09:08:18 kernel: pci0: <acpi pci bus> on pcib0
Jan 31 09:08:18 kernel: pcib0: <acpi host-pci bridge> port 0xcf8-0xcff on acpi0
Jan 31 09:08:18 kernel: acpi_timer0: <32-bit timer at 3.579545MHz> port 0x408-0x40b on acpi0
Jan 31 09:08:18 kernel: Timecounter "ACPI-fast" frequency 3579545 Hz quality 900
Jan 31 09:08:18 kernel: Event timer "RTC" frequency 32768 Hz quality 0
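The silent outage described in the post above can be caught by checking exported log text for gaps and for a stale newest entry. This is an added example, not part of the original post or of pfSense; the function names, the one-hour threshold and the year 2015 (BSD syslog lines carry no year) are assumptions, and the sample lines are constructed from the excerpt above.

```python
from datetime import datetime, timedelta

# Constructed sample, modelled on the excerpt in the thread (newest entry first).
SAMPLE = """\
Feb 5 13:58:18 kernel: done.
Feb 5 13:58:18 syslogd: kernel boot file is /boot/kernel/kernel
Jan 31 09:08:28 syslogd: exiting on signal 15
Jan 31 09:08:28 php: rc.bootup: Creating rrd update script
Jan 31 09:08:24 kernel: .done.
""".splitlines()

def parse(line, year):
    """Return (timestamp, line) for a BSD syslog line, or None if unparseable."""
    parts = line.split(None, 3)
    if len(parts) < 4:
        return None
    try:
        ts = datetime.strptime(f"{year} {' '.join(parts[:3])}", "%Y %b %d %H:%M:%S")
    except ValueError:
        return None
    return ts, line

def find_gaps(lines, max_gap=timedelta(hours=1), year=2015, newest_first=True):
    """List (last line before, first line after, duration) for each silent period."""
    if newest_first:
        # Restore chronological order so entries sharing a second keep their sequence.
        lines = list(reversed(lines))
    entries = sorted((e for e in map(lambda l: parse(l, year), lines) if e),
                     key=lambda e: e[0])  # stable sort: ties keep input order
    return [(a[1], b[1], b[0] - a[0])
            for a, b in zip(entries, entries[1:]) if b[0] - a[0] > max_gap]

def is_stale(lines, now, max_age=timedelta(hours=1), year=2015):
    """True when the newest entry is older than max_age, i.e. logging has stopped."""
    stamps = [e[0] for e in map(lambda l: parse(l, year), lines) if e]
    return not stamps or now - max(stamps) > max_age
```

Run on a schedule against exported log text, `is_stale` gives the warning the poster never received, and `find_gaps` shows afterwards which entry was the last one written before the silence.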
-
I've had the same problem. Going to try piz0t's "kick it in the pants" test.
-
Didn't seem to help mine.
/var/logs seems to have stopped for most of the logs (the only logs that show up in the UI are the filter logs, and those appear "normal" here).
Note that all of those 500k files that last updated on 2/4 (when I cleared logs) are all binary files, no user readable text.
[2.2-RELEASE][root@pfatom.home.plein.org]/var/log: ls -lahrt
total 9606
-rw------- 1 root wheel 40K May 12 2014 installer.log
drwxr-xr-x 2 root wheel 512B May 12 2014 ntp
-rw-r--r-- 1 root wheel 28B Oct 20 08:58 lastlog
drwxr-xr-x 28 root wheel 512B Jan 23 23:46 ..
drwxr-xr-x 3 root wheel 1.0K Jan 24 17:43 .
-rw------- 1 root wheel 5.1K Jan 24 18:02 pflog
-rw------- 1 root wheel 10K Jan 24 18:02 spamd.log
-rw------- 1 root wheel 500K Feb 4 23:56 wireless.log
-rw------- 1 root wheel 500K Feb 4 23:56 vpn.log
-rw------- 1 root wheel 500K Feb 4 23:56 system.log
-rw------- 1 root wheel 500K Feb 4 23:56 routing.log
-rw------- 1 root wheel 500K Feb 4 23:56 resolver.log
-rw------- 1 root wheel 500K Feb 4 23:56 relayd.log
-rw------- 1 root wheel 500K Feb 4 23:56 pptps.log
-rw------- 1 root wheel 500K Feb 4 23:56 ppp.log
-rw------- 1 root wheel 500K Feb 4 23:56 portalauth.log
-rw------- 1 root wheel 500K Feb 4 23:56 poes.log
-rw------- 1 root wheel 500K Feb 4 23:56 openvpn.log
-rw------- 1 root wheel 500K Feb 4 23:56 ntpd.log
-rw------- 1 root wheel 500K Feb 4 23:56 lighttpd.log
-rw------- 1 root wheel 500K Feb 4 23:56 l2tps.log
-rw------- 1 root wheel 500K Feb 4 23:56 ipsec.log
-rw------- 1 root wheel 500K Feb 4 23:56 gateways.log
-rw------- 1 root wheel 500K Feb 4 23:56 dhcpd.log
-rw-r--r-- 1 root wheel 7.1K Feb 5 21:14 dmesg.boot
-rw------- 1 root wheel 23K Feb 5 21:14 userlog
-rw------- 1 root wheel 1.1K Feb 5 22:36 utx.log
-rw-r--r-- 1 root wheel 394B Feb 5 22:36 utx.lastlogin
-rw------- 1 root wheel 500K Feb 5 22:38 filter.log
-
Note that all of those 500k files that last updated on 2/4 (when I cleared logs) are all binary files, no user readable text.
That is NOT a bug. https://doc.pfsense.org/index.php/Why_can%27t_I_view_view_log_files_with_cat/grep/etc%3F_(clog)
-
@piz0t:
I just noticed the same problem on 2.2 release and came to the forums to get help.
My last log was on Jan 31, 5 days ago. I now went to the log settings page and turned off "Show log entries in reverse order (newest entries on top)", saved, and then turned it back on, and now the logging is working again. It looks like the logging service must have died for some reason on Jan 31 and never restarted itself or warned me about the problem.
I run my logs in reverse, might be worth switching this back to the default reverse order to see if there's any change.
Note that all of those 500k files that last updated on 2/4 (when I cleared logs) are all binary files, no user readable text.
That is NOT a bug. https://doc.pfsense.org/index.php/Why_can%27t_I_view_view_log_files_with_cat/grep/etc%3F_(clog)
There is currently no text in this page. You can search for this page title in other pages, or search the related logs, but you do not have permission to create this page.
There's nothing on that page, has the text been pulled?
-
The page is just fine, the forum sucks…
-
OK, I understand that you can't just cat the files now.
But the files are still empty. THAT's a bug.
-
Hi @ll
Well for my case I found out what has happened… my trainee has moved the logs from the pfSense box instead of copying :o
Moved the files back meanwhile but the logs don't refresh, is there any way to repair this?
Kind regards
thafener
-
Forget about it and reset the logs.
-
Thank you cool, works again :)
-
Update:
It's been about a week and my logs are still working. Cycling the "Show log entries in reverse order (newest entries on top)" setting got my logs working again. To be extra sure though, an hour after that, I also clicked the "Reset Log Files" button. I don't know if that made any difference, but at least my logs are still working.